CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54069

criticalcovered by 1 sourcefirst seen 2026-07-10
Summary SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. Affected Versions SiYuan <= v3.6.5 (commit 96dfe0bea474). The chrome-extension allowlist remains unfixed as of the latest commit on the fix branch (d7b77d945e0d). Vulnerability Details Blanket chrome-extension:// Origin Trust (CWE-346) In kernel/model/session.go:277, the CheckAuth middleware exempts all chrome-extension:// origins from authentication: if strings.HasPrefix(origin, "chrome-extension://") { // skip auth } At session.go:284, the request is assigned RoleAdministrator: c.Set("role", model.RoleAdministrator) The AccessAuthCode field defaults to an empty string for desktop installs (ContainerStd). When empty, no token validation occurs. This means any Chrome/Chromium extension can make fully authenticated admin API calls to the SiYuan kernel. The origin check trusts the entire chrome-extension:// scheme rather than validating a specific extension ID, so every installed extension (including those with no explicit host_permissions) can access all admin endpoints. Proof of Concept Unauthenticated admin API access via browser extension: A minimal Chrome extension with only default permissions: { "manifest_version": 3, "name": "SiYuan PoC", "version": "1.0", "background": { "service_worker": "bg.js" } } // bg.js -- runs as chrome-extension://<id> // No special host_permissions needed; localhost is accessible by default // 1. Verify admin access fetch('http://127.0.0.1:6806/api/system/getConf', { method: 'POST', headers: {

⚡ Watch CVE-2026-54069

Get an email if CVE-2026-54069 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54069

CVE.org record

Embed the live status

CVE-2026-54069 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54069 status](https://www.csirts.com/badge/CVE-2026-54069)](https://www.csirts.com/cve/CVE-2026-54069)